BOKARO STEEL CITY, Jharkhand—500 million people use TikTok globally, and 43% are based in India. Chances are your mobile has the app installed on it. Do you know that the app is sharing your data with its business partners, advertising networks, cloud service providers, data centre hosts and search engine providers?
In a recent study, researchers from the International Computer Science Institute (ICSI) found that 1325 Android apps harvest user data despite being denied permission. Serge Egelman, director of ICSI, says that most users are unaware of this fact, and they have no tools to ensure that apps do not collect their sensitive data.
Except maybe when they don’t install apps at all, or spend 200 hours a year reading privacy policies of all the apps they use, something which is not possible. Let’s look at how apps are able to access our data even after being denied permission.
Android’s two-level permission ecosystem for apps
Android, developed and maintained by Google, is the most popular mobile platform in India. As explained in Egelman’s report, the permission ecosystem developed by Android for downloading apps from its play store has two levels.
First, an app must request permission from you to access resources. You can choose to allow or deny those permissions. However, in reality you might find the apps behaving erratically if some permissions are denied.
Second, the Android operating system ensures that the permissions granted by you are enforced. Unfortunately, mobile apps have found various means to circumvent Android’s two-level permission ecosystem.
How apps harvest data without permission
In his paper, Egelman says that there are two methods that the apps use to harvest data they are not allowed to access—covert channels and side channels.
A covert channel is a communication path between two applications that exchange data the receiving app is not permitted to access. For example, App A is allowed to access Data A but App B is not. In such a scenario, the two apps can establish a covert channel through which App A can transmit Data A to App B.
A side channel is a communication channel used by an app to bypass the limitations imposed by its permissions. For example, if copies of Data A are available at multiple places on the mobile, any app can access it from those locations, for which the permissions are not explicit.
Typical data harvested by apps
You should know which data apps generally try to store, so that they can track and profile your activities. In case you are wondering, this is so that they can insert relevant ads in the app you have downloaded. Pure business tactics, and nothing else.
The International Mobile Entity Identification (IMEI) number uniquely identifies each mobile. It can be used to track even stolen mobiles. As this number never changes, tracking it can give the apps your exact location at any given point of time. You can reset other parameters but not IMEI.
Researchers at ICSI identified two third party online providers—Baidu and Salmonad—collecting this information even without permission.
153 apps, including Hong Kong and Shanghai Disney theme park apps, Samsung Health and Samsung Browser, transmit IMEI to Baidu’s server. Five apps were transmitting this data to Salmonad’s server.
The lackadaisical approach of Android towards user security can be gauged from the fact that except 20, all these apps had permission to read the IMEI number. The remaining 20 can easily establish covert channels with other apps, especially because they share the same SDK. These 20 apps have been installed at least 700 million times, according to Play Store figures.
Network and Router MAC addresses
The MAC address is another persistent identifier useful to advertisers and analytics companies because it is hardware based. Unity is one of the most popular game engines and is used by many apps. The researchers found 42 apps transmitting the MAC address back to the Unity servers. They also found that more than 12,408 apps are capable of doing this, out of which 748 did not have explicit permission to access this data.
The ICSI research team shared these findings, with proof, with Google. Google has promised to fix these errors in Android Q, which is slated to release this quarter.
Geolocation is another piece of data that advertisers are very interested in. During the study, 70 apps sending geolocation data back to 45 servers were identified. These apps were able to harvest this data from other information that had the geolocation embedded in it. This is again something that Google must rectify.
Serving geolocation data on a platter to apps, whether they have permission or not, is simply foolishness. For example, the Shutterfly app is able to get precise location information from the metadata embedded in photos.
Why apps are able to establish covert and side channels
Many factors come into play when it comes to accessing data the apps are not allowed to.
Android play store does not check validity of requested permissions
Android does not check whether the permissions requested by apps are actually needed by them. With millions of apps available on the play store it could seem difficult to do, but this can easily be verified before the app is published.
Issues with software
As more and more businesses look to develop and publish mobile apps quickly, developers are always looking at ways to reduce time and effort required. Software development kits (SDKs) are used to create high quality apps with minimum resources. But these SDKs can compromise user security intentionally or unintentionally.
Most of the SDKs go to great lengths to obfuscate personal data to keep them secure. However, the same obfuscation technique is used by apps while transmitting sensitive data back to their server, escaping detection.
Many third-party development platforms like Baidu, Salmonad and OpenX contain code to intentionally exploit Android vulnerabilities to access personal data.
Data stored at multiple places
Weak or rogue SDKs and complex APIs can give rise to a situation where the same data is stored at multiple locations. Not all of these locations may be secure. Apps can access such data from the insecure locations.
Accessing embedded data
Much of the information is indirectly embedded in files. For example, images store location information and the date the image was taken. An app interested in tracking mobile location can exploit this vulnerability to know the exact location of the user every time a photo is clicked. Which is practically many times in a day!!
What, and how much, can users do to be safe
This article does not intend to scare you into leading an app-free life (though that could drastically improve the quality of everyday existence!!). The idea is to be aware of what could be at stake and do something about it, like:
- Download only those apps you absolutely need.
- Download trusted apps only; Google for information about the app.
- Don’t hesitate to uninstall an app as soon as you are finished using it.
- If something can be done through the website, use it, don’t use the app.
Recently I put out a post on LinkedIn regarding Android apps stealing our data without permission. As one user commented on that post — if you want privacy trust your home; you want to keep a secret trust your brain; everything else is vulnerable.